# Global directives for an NXLog agent installed under C:\Program Files\nxlog.
# 'Panic Soft' selects the mildest handling of internal assertion failures:
# presumably log and continue rather than abort. Confirm against the deployed
# NXLog version.
Panic Soft
# Left disabled by the author (the directive is commented out).
#NoFreeOnExit TRUE
# 'define NAME VALUE' creates a text macro that is expanded wherever %NAME%
# appears later in the file.
define ROOT C:\Program Files\nxlog
# NOTE(review): CERTDIR and CONFDIR are defined but not referenced anywhere in
# the lines shown (no include directive, no TLS output). Confirm they are used
# by a part of the configuration that is not visible here.
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
# The agent's own diagnostic log, which the scheduled jobs further down rotate.
LogFile %LOGFILE%
Moduledir %ROOT%\modules
# The cache, PID file, spool and the agent log all resolve to %ROOT%\data.
# NOTE(review): presumably the cache holds the saved event-log read position,
# so write access to this directory should be limited to the service account
# and administrators. Verify the installed ACLs.
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
# Extension modules loaded by the agent.
# NOTE(review): in a working NXLog file each Module line sits inside its own
# <Extension NAME> ... </Extension> block. Those tags are not present in this
# copy and must be restored before the file will parse.
# xm_syslog: syslog parsing and formatting helpers.
Module xm_syslog
# xm_charconv: character-set conversion. AutodetectCharsets lists the encodings
# tried when the source encoding is to be detected automatically.
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
# xm_exec: lets configuration statements run external programs.
# NOTE(review): nothing in the lines shown calls it. If no other part of the
# configuration uses it, drop the module so the agent (which typically runs
# with high privileges on Windows) cannot be made to spawn processes through a
# modified config file.
Module xm_exec
# xm_fileop provides the file_exists(), file_size() and file_cycle() calls used
# by the two scheduled jobs below to rotate the agent's own log (%LOGFILE%).
# NOTE(review): each 'Every'/'When' + 'Exec' pair normally lives in its own
# <Schedule> ... </Schedule> block inside the xm_fileop <Extension> block.
# Those tags are missing from this copy.
Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
# The trailing '\' continues the Exec statement onto the next line.
# file_cycle(..., 8) keeps at most 8 rotated generations.
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
# Rotate our log file every week on Sunday at midnight
# This runs regardless of size, so history is bounded by both age and size;
# rotated copies beyond the 8th are discarded.
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
# Allow-list of Windows event IDs to forward, one list per event provider.
# The input filter further down pairs each list with the matching *Src name
# and drops every event that is not on a list, so an ID missing here is never
# forwarded.
# SecurityIDs: Security-Auditing events, including logon success and failure
# (4624, 4625), process creation (4688), account and group changes (e.g. 4720,
# 4728, 4732), Kerberos and NTLM authentication (4768, 4769, 4771, 4776) and
# audit-policy changes (4719).
# Every line of the list ends in '\' so the define continues across lines. A
# comment cannot be placed inside the list.
define SecurityIDs 4618, 4649, 4719, 4765, 4766, 4794, 4897, 4964, 5124, \
4621, 4675, 4692, 4693, 4706, 4713, 4714, 4715, 4716, \
4724, 4727, 4735, 4737, 4739, 4754, 4755, 4764, 4780, \
4816, 4865, 4866, 4867, 4868, 4870, 4882, 4885, 4890, \
4892, 4896, 4906, 4907, 4908, 4912, 4960, 4961, 4962, \
4963, 4965, 4976, 4977, 4978, 4983, 4984, 5027, 5028, \
5029, 5030, 5035, 5037, 5038, 5120, 5121, 5122, 5123, \
5376, 5377, 5453, 5480, 5483, 5484, 5485, 6145, 6273, \
6274, 6275, 6276, 6277, 6278, 6279, 6280, 4608, 4609, \
4610, 4611, 4612, 4614, 4615, 4616, 4624, 4625, 4634, \
4647, 4648, 4656, 4657, 4658, 4660, 4661, 4662, 4663, \
4672, 4673, 4674, 4688, 4689, 4690, 4691, 4696, 4697, \
4698, 4699, 4700, 4701, 4702, 4704, 4705, 4707, 4717, \
4718, 4720, 4722, 4723, 4725, 4726, 4728, 4729, 4730, \
4731, 4732, 4733, 4734, 4738, 4740, 4741, 4742, 4743, \
4744, 4745, 4746, 4747, 4748, 4749, 4750, 4751, 4752, \
4753, 4756, 4757, 4758, 4759, 4760, 4761, 4762, 4767, \
4768, 4769, 4770, 4771, 4772, 4774, 4775, 4776, 4778, \
4779, 4781, 4783, 4785, 4786, 4787, 4788, 4789, 4790, \
4869, 4871, 4872, 4873, 4874, 4875, 4876, 4877, 4878, \
4879, 4880, 4881, 4883, 4884, 4886, 4887, 4888, 4889, \
4891, 4893, 4894, 4895, 4898, 5136, 5137, 4798, 4950, \
6416, 6424, 5024, 5025
# BitLockerIDs: events accepted from the BitLocker driver provider.
define BitLockerIDs 24586, 24592, 24593, 24594
# EventlogID 1102 is the "audit log was cleared" event for the Security log.
# NOTE(review): clearing any other log (System, Application, ...) is reported
# by the same provider as event 104, which this allow-list does not include.
# Add it if log-clearing detection should cover more than the Security log.
define EventlogID 1102
# Provider names ($SourceName values) that each ID list is valid for.
define SecuritySrc Microsoft-Windows-Security-Auditing
define BitLockerSrc Microsoft-Windows-BitLocker-Driver
define EventlogSrc Microsoft-Windows-Eventlog
# Input: reads the Windows Event Log through im_msvistalog and keeps only the
# allow-listed events.
# NOTE(review): the enclosing <Input in> ... </Input> tags, and the 'Exec'
# keyword or <Exec> tags around the statement below, are not present in this
# copy and must be restored before the file will parse.
# NOTE(review): no Query/QueryXML or Channel directive appears in the lines
# shown, so the module's default subscription applies and selection happens
# only after each event has been read. Narrowing the subscription (e.g. to the
# Security and System channels) would cut the agent's load. Confirm which
# channels carry the BitLocker and Eventlog providers first.
Module im_msvistalog
# Filter: drop the event unless $SourceName is set AND one (ID list, provider)
# pair matches. Checking the provider together with the ID stops an unrelated
# provider that reuses one of these numbers from slipping through.
# Events that have no $SourceName field are dropped as well.
if not (defined($SourceName) and
(($EventID IN (%SecurityIDs%) and $SourceName == "%SecuritySrc%") or
($EventID IN (%BitLockerIDs%) and $SourceName == "%BitLockerSrc%") or
($EventID == %EventlogID% and $SourceName == "%EventlogSrc%")))
drop();
# Connect input 'in' to output 'out'
# NOTE(review): the <Route NAME> ... </Route> tags that normally wrap a Path
# directive are not present in this copy.
# NOTE(review): no output named 'out' is defined in the lines shown, and
# %CERTDIR% is never referenced. These are security audit events, so confirm
# that 'out' uses an authenticated, encrypted transport (e.g. om_ssl with a
# CA file from the certificate directory) rather than plain TCP/UDP.
Path in => out